(RK-243) Refuse to generate rugged credentials more than once.

The new behavior as of libgit2/rugged 0.24.0 is to continue to call the credentials callback until either it raises an error or the server gives up. Since neither was happening, invalid credentials were leading to an infinite retry loop.
puppetlabs · May 16, 2016 · 5d67cd2 · 5d67cd2
1 parent b945b88
commit 5d67cd2
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 0 deletions.
diff --git a/lib/r10k/git/rugged/credentials.rb b/lib/r10k/git/rugged/credentials.rb
@@ -12,9 +12,17 @@ class R10K::Git::Rugged::Credentials
   # @param repository [R10K::Git::Rugged::BaseRepository]
   def initialize(repository)
     @repository = repository
+    @called = false
   end
 
   def call(url, username_from_url, allowed_types)
+    # Break out of infinite auth retry loop introduced in libgit2/rugged 0.24.0.
+    if @called
+      raise R10K::Git::GitError.new("Authentication failed for Git remote #{url.inspect}.")
+    else
+      @called = true
+    end
+
     if allowed_types.include?(:ssh_key)
       get_ssh_key_credentials(url, username_from_url)
     elsif allowed_types.include?(:plaintext)

diff --git a/spec/unit/git/rugged/credentials_spec.rb b/spec/unit/git/rugged/credentials_spec.rb
@@ -99,5 +99,10 @@
     it "creates default credentials when no other types are allowed" do
       expect(subject.call("https://tessier-ashpool.freeside/repo.git", nil, [])).to be_a_kind_of(Rugged::Credentials::Default)
     end
+
+    it "refuses to generate credentials a second time" do
+      expect(subject.call("https://tessier-ashpool.freeside/repo.git", nil, [:plaintext])).to be_a_kind_of(Rugged::Credentials::UserPassword)
+      expect { subject.call("https://tessier-ashpool.freeside/repo.git", nil, [:plaintext]) }.to raise_error(R10K::Git::GitError, /authentication failed/i)
+    end
   end
 end